nrf_security: Refactor get_opaque_size function #19731

Merged
merged 1 commit into from
Jan 16, 2025
Expand Up @@ -247,7 +247,7 @@ psa_status_t cracen_copy_key(psa_key_attributes_t *attributes, const uint8_t *so

psa_status_t cracen_destroy_key(const psa_key_attributes_t *attributes);

size_t cracen_get_opaque_size(const psa_key_attributes_t *attributes);
psa_status_t cracen_get_opaque_size(const psa_key_attributes_t *attributes, size_t *key_size);

psa_status_t cracen_jpake_setup(cracen_jpake_operation_t *operation,
const psa_key_attributes_t *attributes, const uint8_t *password,
24 changes: 15 additions & 9 deletions subsys/nrf_security/src/drivers/cracen/cracenpsa/src/common.c
Expand Up @@ -806,26 +806,28 @@ psa_status_t cracen_load_keyref(const psa_key_attributes_t *attributes, const ui
return PSA_SUCCESS;
}

size_t cracen_get_opaque_size(const psa_key_attributes_t *attributes)
psa_status_t cracen_get_opaque_size(const psa_key_attributes_t *attributes, size_t *key_size)
{
if (PSA_KEY_LIFETIME_GET_LOCATION(psa_get_key_lifetime(attributes)) ==
PSA_KEY_LOCATION_CRACEN) {
switch (MBEDTLS_SVC_KEY_ID_GET_KEY_ID(psa_get_key_id(attributes))) {
case CRACEN_BUILTIN_IDENTITY_KEY_ID:
if (psa_get_key_type(attributes) ==
PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1)) {
return sizeof(ikg_opaque_key);
*key_size = sizeof(ikg_opaque_key);
return PSA_SUCCESS;
}
break;
case CRACEN_BUILTIN_MEXT_ID:
case CRACEN_BUILTIN_MKEK_ID:
if (psa_get_key_type(attributes) == PSA_KEY_TYPE_AES) {
return sizeof(ikg_opaque_key);
*key_size = sizeof(ikg_opaque_key);
return PSA_SUCCESS;
}
break;
#ifdef CONFIG_PSA_NEED_CRACEN_PLATFORM_KEYS
default:
return cracen_platform_keys_get_size(attributes);
return cracen_platform_keys_get_size(attributes, key_size);
#endif
}
}
Expand All @@ -835,15 +837,19 @@ size_t cracen_get_opaque_size(const psa_key_attributes_t *attributes)
if (PSA_KEY_TYPE_IS_ECC(psa_get_key_type(attributes))) {
if (psa_get_key_type(attributes) ==
PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1)) {
return PSA_EXPORT_PUBLIC_KEY_OUTPUT_SIZE(
*key_size = PSA_EXPORT_PUBLIC_KEY_OUTPUT_SIZE(
psa_get_key_type(attributes), psa_get_key_bits(attributes));
} else {
*key_size = PSA_BITS_TO_BYTES(psa_get_key_bits(attributes));
}
return PSA_BITS_TO_BYTES(psa_get_key_bits(attributes));
} else if (psa_get_key_type(attributes) == PSA_KEY_TYPE_HMAC) {
return PSA_BITS_TO_BYTES(psa_get_key_bits(attributes));
*key_size = PSA_BITS_TO_BYTES(psa_get_key_bits(attributes));
} else {
return sizeof(kmu_opaque_key_buffer);
*key_size = sizeof(kmu_opaque_key_buffer);
}
tomi-font marked this conversation as resolved.

return PSA_SUCCESS;
}
return 0;

return PSA_ERROR_INVALID_ARGUMENT;
}
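Review bot: On every failure path of `cracen_get_opaque_size` (the `break`s in the CRACEN switch and the final `return PSA_ERROR_INVALID_ARGUMENT;`) `*key_size` is never written. A caller that passes an uninitialised `size_t`, as `cracen_import_key` does with `opaque_key_size`, is then left with an indeterminate value, and the driver wrappers forward the PSA core's own pointer, which the old code always set to 0 on failure. Consider opening the function with `*key_size = 0;` and adding a doc comment on the prototype saying that `key_size` must be non-NULL and is meaningful only when `PSA_SUCCESS` is returned. Part of the body is collapsed between the two hunks, so the paths in that region were not reviewed.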
Expand Up @@ -880,12 +880,18 @@ psa_status_t cracen_import_key(const psa_key_attributes_t *attributes, const uin
MBEDTLS_SVC_KEY_ID_GET_KEY_ID(psa_get_key_id(attributes)));
psa_key_attributes_t stored_attributes;

if (key_buffer_size < cracen_get_opaque_size(attributes)) {
return PSA_ERROR_BUFFER_TOO_SMALL;
size_t opaque_key_size;
psa_status_t status = cracen_get_opaque_size(attributes, &opaque_key_size);

if (status != PSA_SUCCESS) {
return status;
}

psa_status_t status = cracen_kmu_provision(attributes, slot_id, data, data_length);
if (key_buffer_size < opaque_key_size) {
return PSA_ERROR_BUFFER_TOO_SMALL;
}

status = cracen_kmu_provision(attributes, slot_id, data, data_length);
if (status != PSA_SUCCESS) {
return status;
}
Expand Down Expand Up @@ -1182,6 +1188,9 @@ psa_status_t cracen_get_builtin_key(psa_drv_slot_number_t slot_number,
psa_key_attributes_t *attributes, uint8_t *key_buffer,
size_t key_buffer_size, size_t *key_buffer_length)
{
size_t opaque_key_size;
psa_status_t status = PSA_ERROR_INVALID_ARGUMENT;

/* According to the PSA Crypto Driver specification, the PSA core will set the `id`
* and the `lifetime` field of the attribute struct. We will fill all the other
* attributes, and update the `lifetime` field to be more specific.
Expand All @@ -1199,12 +1208,17 @@ psa_status_t cracen_get_builtin_key(psa_drv_slot_number_t slot_number,
PSA_KEY_USAGE_VERIFY_HASH |
PSA_KEY_USAGE_VERIFY_MESSAGE);

status = cracen_get_opaque_size(attributes, &opaque_key_size);
if (status != PSA_SUCCESS) {
return status;
}

/* According to the PSA Crypto Driver interface proposed document the driver
* should fill the attributes even if the buffer of the key is too small. So
* we check the buffer here and not earlier in the function.
*/
if (key_buffer_size >= cracen_get_opaque_size(attributes)) {
*key_buffer_length = cracen_get_opaque_size(attributes);
if (key_buffer_size >= opaque_key_size) {
*key_buffer_length = opaque_key_size;
*((ikg_opaque_key *)key_buffer) =
(ikg_opaque_key){.slot_number = slot_number,
.owner_id = MBEDTLS_SVC_KEY_ID_GET_OWNER_ID(
Expand All @@ -1226,11 +1240,15 @@ psa_status_t cracen_get_builtin_key(psa_drv_slot_number_t slot_number,
psa_set_key_usage_flags(attributes,
PSA_KEY_USAGE_DERIVE | PSA_KEY_USAGE_VERIFY_DERIVATION);

status = cracen_get_opaque_size(attributes, &opaque_key_size);
if (status != PSA_SUCCESS) {
return status;
}
/* See comment about the placement of this check in the previous switch
* case.
*/
if (key_buffer_size >= cracen_get_opaque_size(attributes)) {
*key_buffer_length = cracen_get_opaque_size(attributes);
if (key_buffer_size >= opaque_key_size) {
*key_buffer_length = opaque_key_size;
*((ikg_opaque_key *)key_buffer) =
(ikg_opaque_key){.slot_number = slot_number,
.owner_id = MBEDTLS_SVC_KEY_ID_GET_OWNER_ID(
11 changes: 9 additions & 2 deletions subsys/nrf_security/src/drivers/cracen/cracenpsa/src/kmu.c
Expand Up @@ -901,6 +901,7 @@ psa_status_t cracen_kmu_get_builtin_key(psa_drv_slot_number_t slot_number,
{
kmu_metadata metadata;
psa_status_t status = read_primary_slot_metadata(slot_number, &metadata);
size_t opaque_key_size;

if (status != PSA_SUCCESS) {
return status;
Expand All @@ -921,8 +922,14 @@ psa_status_t cracen_kmu_get_builtin_key(psa_drv_slot_number_t slot_number,
return status;
}

if (key_buffer_size >= cracen_get_opaque_size(attributes)) {
*key_buffer_length = cracen_get_opaque_size(attributes);

status = cracen_get_opaque_size(attributes, &opaque_key_size);
if (status != PSA_SUCCESS) {
return status;
}

if (key_buffer_size >= opaque_key_size) {
*key_buffer_length = opaque_key_size;
kmu_opaque_key_buffer *key = (kmu_opaque_key_buffer *)key_buffer;

key->key_usage_scheme = metadata.key_usage_scheme;
Expand Up @@ -520,26 +520,24 @@ psa_status_t cracen_platform_get_builtin_key(psa_drv_slot_number_t slot_number,
return PSA_ERROR_CORRUPTION_DETECTED;
}

size_t cracen_platform_keys_get_size(psa_key_attributes_t const *attributes)
psa_status_t cracen_platform_keys_get_size(psa_key_attributes_t const *attributes, size_t *key_size)
{
platform_key key;
key_type type = find_key(MBEDTLS_SVC_KEY_ID_GET_KEY_ID(psa_get_key_id(attributes)), &key);
psa_key_type_t key_type = psa_get_key_type(attributes);

if (type == INVALID) {
return 0;
}

if (type == IKG) {
return sizeof(ikg_opaque_key);
*key_size = sizeof(ikg_opaque_key);
return PSA_SUCCESS;
}

if (key_type == PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_TWISTED_EDWARDS) ||
key_type == PSA_KEY_TYPE_AES) {
return PSA_BITS_TO_BYTES(psa_get_key_bits(attributes));
*key_size = PSA_BITS_TO_BYTES(psa_get_key_bits(attributes));
return PSA_SUCCESS;
}

return 0;
return PSA_ERROR_INVALID_ARGUMENT;
Vge0rge marked this conversation as resolved.
}

psa_status_t cracen_platform_get_key_slot(mbedtls_svc_key_id_t key_id, psa_key_lifetime_t *lifetime,
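Review bot: The `if (type == INVALID) { return 0; }` guard in `cracen_platform_keys_get_size` appears to be dropped rather than converted to the new return convention; the hunk header's 26-to-24 line count only balances if those lines are on the removed side. Without it, a key ID for which `find_key` reports `INVALID` still reaches the key-type comparison, and the function returns `PSA_SUCCESS` with a size derived from the caller-supplied attributes whenever the type is AES or a twisted-Edwards public key. Keeping the guard in the new form, `if (type == INVALID) { return PSA_ERROR_INVALID_ARGUMENT; }`, ahead of the `type == IKG` check preserves the old rejection of unrecognised IDs.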
Expand Up @@ -13,7 +13,8 @@ psa_status_t cracen_platform_get_builtin_key(psa_drv_slot_number_t slot_number,
psa_key_attributes_t *attributes, uint8_t *key_buffer,
size_t key_buffer_size, size_t *key_buffer_length);

size_t cracen_platform_keys_get_size(psa_key_attributes_t const *attributes);
psa_status_t cracen_platform_keys_get_size(psa_key_attributes_t const *attributes,
size_t *key_size);

psa_status_t cracen_platform_get_key_slot(mbedtls_svc_key_id_t key_id, psa_key_lifetime_t *lifetime,
psa_drv_slot_number_t *slot_number);
6 changes: 2 additions & 4 deletions subsys/nrf_security/src/psa_crypto_driver_wrappers.c
Expand Up @@ -463,8 +463,7 @@ psa_driver_wrapper_get_key_buffer_size_from_key_data(const psa_key_attributes_t
#if defined(PSA_NEED_CRACEN_KMU_DRIVER)
case PSA_KEY_LOCATION_CRACEN_KMU:
#endif
*key_buffer_size = cracen_get_opaque_size(attributes);
return *key_buffer_size != 0 ? PSA_SUCCESS : PSA_ERROR_INVALID_ARGUMENT;
return cracen_get_opaque_size(attributes, key_buffer_size);
#endif
default:
(void)key_type;
Expand Down Expand Up @@ -503,8 +502,7 @@ psa_status_t psa_driver_wrapper_get_key_buffer_size(const psa_key_attributes_t *
#if defined(PSA_NEED_CRACEN_KMU_DRIVER)
case PSA_KEY_LOCATION_CRACEN_KMU:
#endif
*key_buffer_size = cracen_get_opaque_size(attributes);
return *key_buffer_size != 0 ? PSA_SUCCESS : PSA_ERROR_NOT_SUPPORTED;
return cracen_get_opaque_size(attributes, key_buffer_size);
#endif
#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER)
case TFM_BUILTIN_KEY_LOADER_KEY_LOCATION:
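Review bot: The second call site, in `psa_driver_wrapper_get_key_buffer_size`, used to map a zero size to `PSA_ERROR_NOT_SUPPORTED`, but it now returns the status of `cracen_get_opaque_size` unchanged, which per the common.c section of this commit is `PSA_ERROR_INVALID_ARGUMENT` for unmatched attributes. If any caller distinguishes the two codes, this is a behaviour change that a commit titled as a refactor does not announce. Either translate at this call site, e.g. `return status == PSA_ERROR_INVALID_ARGUMENT ? PSA_ERROR_NOT_SUPPORTED : status;` after storing the result in a local `status`, or state the new error code in the commit description. Both enclosing functions start and end outside the hunks shown.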